RHEA-2018:2385 and RHEA-2018:2531 rhel-system-roles bug fix and enhancement update
The rhel-system-roles package includes a collection of Ansible roles and modules that provide a stable and consistent configuration interface for managing multiple versions of Red Hat Enterprise Linux. The rhel-system-roles package is available in the Red Hat Enterprise Linux 7 Extras channel.
RHEA-2018:2385
With the RHEA-2018:2385 advisory, the network, timesync, kdump, and selinux roles of the rhel-system-roles package have received multiple bug fixes and significant enhancements to improve interface consistency, usability, and conformance to Ansible best practices.
Note that for the timesync, kdump, and selinux roles, the changes are not backward compatible and it is necessary to update playbooks that use them. In particular, all the variable names now follow the common convention with a <role>_ prefix and are all lower case for consistency.
Changes in the selinux role include:
- The following variables have been renamed according to common conventions and to improve consistency with the selinux module:
  - SELinux_type to selinux_policy
  - SELinux_mode to selinux_state
  - SELinux_booleans to selinux_booleans
  - SELinux_file_contexts to selinux_file_contexts
  - SELinux_restore_dirs to selinux_restore_dirs
  - SELinux_ports to selinux_ports
  - SELinux_logins to selinux_logins
- The selinux_change_running variable was removed without a functional change, as the role has always changed the running state and the variable was effectively ignored.
- Local modifications to file contexts, ports, logins, and booleans are no longer dropped by default. The modifications specified in selinux_booleans, selinux_file_contexts, selinux_ports and selinux_logins are applied on top of pre-existing modifications. To obtain the previous behavior, set the new variables selinux_booleans_purge, selinux_fcontexts_purge, selinux_ports_purge and selinux_logins_purge (or just selinux_all_purge) to True.
- Dictionaries that are passed to the selinux_file_contexts variable now provide the new state option, which is set to present by default. Setting it to absent drops individual modifications to file contexts.
- If the selinux_state or selinux_policy variables are not defined, the selinux role preserves previous values. Only if the SELinux policy is not defined on the system and SELinux is enabled by the role, selinux_policy defaults to targeted.
- Behavior in cases when a reboot is needed to apply the settings has been redefined. The selinux role now fails with an explanatory error message and sets the selinux_reboot_required custom fact to True. The role never reboots the managed host itself. The error needs to be handled in the playbook by using the block directive, and after rebooting the system, the role needs to be applied again. An example is shown in the provided example-selinux-playbook.yml playbook.
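One way to handle the reboot case described above with a block and its rescue section. This is an added example, not the example-selinux-playbook.yml file shipped with the package; the host group, the role name rhel-system-roles.selinux and the variable values are assumptions, and the reboot module requires Ansible 2.7 or later.

```yaml
# Added example: apply the selinux role and handle its "reboot required" failure.
- hosts: all                      # assumed inventory group
  become: true
  vars:
    selinux_policy: targeted      # assumed values for illustration
    selinux_state: enforcing
  tasks:
    - name: Apply the selinux role and catch its failure
      block:
        - name: Apply the selinux role
          include_role:
            name: rhel-system-roles.selinux   # assumed role name
      rescue:
        # Re-raise every failure that is not the reboot request.
        # default(false) covers a failure that occurred before the
        # role had a chance to set the fact.
        - name: Fail on errors other than a required reboot
          fail:
            msg: "selinux role failed and no reboot was requested"
          when: not (selinux_reboot_required | default(false) | bool)

        # The role never reboots the host itself, so the playbook does it.
        - name: Reboot the managed host
          reboot:
            reboot_timeout: 600

        # The settings only take effect once the role runs again.
        - name: Reapply the selinux role after the reboot
          include_role:
            name: rhel-system-roles.selinux
```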
Changes in the timesync role include:
- The following variables have been renamed according to common conventions:
  - ntp_servers to timesync_ntp_servers
  - ptp_domains to timesync_ptp_domains
  - dhcp_ntp_servers to timesync_dhcp_ntp_servers
  - clock_step_threshold to timesync_step_threshold
  - min_time_sources to timesync_min_sources
- The NTP implementation can be chosen by setting the timesync_ntp_provider variable to either ntp or chrony. The timesync role detects the current provider and does not change it unless timesync_ntp_provider is set. The role also sets the timesync_ntp_provider_os_default variable to a value that conforms to the default choice for the OS release. To set the provider consistently for all hosts running the same OS release, use the following code in the playbook:
    timesync_ntp_provider: "{{ timesync_ntp_provider_os_default }}"
- The default provider was changed to ntp on all minor versions of the Red Hat Enterprise Linux 6 operating system for consistency. As noted above, the currently running provider will not be changed unless the timesync_ntp_provider variable is set.
Changes in the kdump role include:
- The following variables have been renamed according to common conventions:
  - dump_target to kdump_target
  - path to kdump_path
  - core_collector to kdump_core_collector
  - system_action to kdump_system_action
  - ssh_dump_user to kdump_ssh_user
  - ssh_dump_server to kdump_ssh_server
  - sshkey to kdump_sshkey
- The dump_target.kind option has been renamed to kdump_target.type.
Changes in the network role include:
- MAC VLAN support has been added.
- A bug that prevented disabling autoconnect with the initscripts provider has been fixed.
- A bug where the role failed during bridge configuration with the initscripts provider has been fixed.
- The network role now allows setting the connection state to down regardless of whether it is defined in the configuration.
- If the interface_name and mac options are not given, the value of the name option is used for interface_name. Setting interface_name to an empty string ("") specifies that the profile is not restricted to a network interface.
- The network role now detects the provider if the network_provider variable is not given. When NetworkManager is running, the provider is set to nm, otherwise to initscripts. The role sets the network_provider_os_default variable based on the OS version.
RHEA-2018:2531
With the RHEA-2018:2531 advisory, the network role has been updated to better represent the state of the network connections. The former state setting was split into two settings:
- state, which represents the runtime state and accepts the values up and down
- persistent_state, which represents the on-disk saved state of the connection profile and accepts the values present and absent
Setting persistent_state to absent ensures that the profile does not exist; if it exists, it will be deleted.
A compatibility layer ensures that all the values for state as defined previously are still accepted. However, it is recommended to update the playbooks to use the new syntax because the old one is deprecated.